Ankura CTIX
Recent Ankura cases involving the Morpheus ransomware group suggest that a new approach to the ransomware ecosystem is gaining popularity among threat actors. Typically, when a ransom is not paid, the threat actor resorts to leaking the victim’s data. In these situations, Ankura’s Cyber Threat Investigation & Expert Services (CTIX) analysts navigate the dark web and conduct covert downloads to determine exactly what data has been publicly leaked and exposed on the threat actor’s dark web leak site. Although tactics vary slightly, the standard procedure among most ransomware groups that do not receive a ransom payment is to post the victim’s stolen data for free. This is intended to pressure and incentivize future victims into paying. However, the Ankura CTIX team has observed that Morpheus is diverging from this operating model: rather than following the typical public data-leak blueprint, it is taking a private-sales approach.
Morpheus: Who Are They?
Morpheus is a relatively new ransomware and data-extortion group that runs a double-extortion operation, both encrypting files and stealing sensitive data as leverage over victims. The group was first observed in late 2024 — its dark web leak site went live around December 2024 — and has remained active since. Morpheus has primarily claimed high-profile victims such as an Australian pharmaceutical company and a German electronics manufacturer, highlighting its focus on large, high-value targets in critical industries like pharmaceuticals, manufacturing, and critical infrastructure. These are usually organizations with significant data assets or sensitive intellectual property, reflecting Morpheus’s “big game hunting” strategy. Unlike opportunistic attackers who might hit a large volume of small targets for a higher quantity of smaller payouts, Morpheus’s approach is to extract large sums from a smaller number of high-value victims.
Let Us Take a Look: Typical Ransomware Data-Leak Playbook
Most ransomware/extortion attackers follow a predictable double-extortion pattern. They first break into a victim’s network, often encrypting critical files and leaving a ransom note. Next, they steal sensitive data and threaten to leak it publicly. The “name-and-shame” leak site is then used to pressure the victim: the attacker lists the company’s name and breach details on a dark web site, signaling that the breach occurred. After some time — with the length varying from group to group — the threat actor will often release a small set of stolen files (e.g. internal documents or personal data), commonly referred to as proof-of-life samples, showing that they have the victim’s data. Finally, the group typically sets a countdown. If the ransom is not paid by the deadline, they dump the full stolen dataset publicly, for example by publishing a zip file, a download link, or a torrent on their leak site. This public leak both punishes the victim and demonstrates the threat actor’s resolve to future victims.
What Makes Them Different: Morpheus’s ‘Private Sale’ Model
Morpheus uses many of the same initial tactics — infiltrating the network, stealing data, and demanding a ransom. However, Morpheus’s data-leak strategy diverges in a crucial way: instead of publicly dumping all stolen files for free, it keeps the bulk of the data behind closed doors and offers it for sale to select parties. On Morpheus’s dark web leak site, each victim’s page shows a teaser: a brief description of the stolen data, a couple of sample proof-of-life files (or screenshots) to prove the theft, and a small encrypted archive — Ankura’s CTIX team observed this file is often named “AD_[VictimName].rar” — containing a few .dat files. Those .dat files are essentially placeholders or fragments of data: they neither contain the full dataset nor grant access to it, and they do not reveal the stolen data itself. These Active Directory proof-of-life “samples” are intended to show that Morpheus has the victim’s data without giving anyone direct access to the full content. To obtain all the stolen data, a victim — or any interested buyer — must contact Morpheus, either by creating an account on Morpheus’s site and contacting the group via an internal chat, or by emailing the official “contact” email address listed on the group’s leak site. In short, Morpheus does not freely publish a victim’s entire dataset after a failed ransom; it prefers discreet transactions — usually for a fee — with those who seek the data.
Why Morpheus Prefers Private Sales: A Different Strategy
Morpheus’s tactics appear driven by profit maximization and risk control. By gating the full stolen data behind private negotiations, the group ensures it can still profit even if the victim refuses to pay, by selling the information to others (e.g. competitors, criminals, or data brokers). This approach preserves the value of the data: if the files are not dumped publicly, they remain exclusive and more monetizable. Private sales allow higher prices and potentially multiple buyers, whereas a free public leak would immediately exhaust the data’s black-market value. Moreover, retaining control of distribution gives Morpheus more leverage over the victim for longer; the data is not simply unleashed, so the threat remains active indefinitely. A further likely incentive is keeping a lower profile and running a more selective operation: Morpheus markets itself like a “cyber extortion boutique,” targeting big, deep-pocketed companies and negotiating in closed channels. By using a login-protected leak site — with CAPTCHAs and limited data shown publicly — the group limits who can access stolen information, making it harder for security researchers or law enforcement to obtain evidence. This semi-private model likely helps Morpheus avoid some scrutiny from authorities and maintain a “professional,” low-key reputation. All these reasons — economics, maintaining leverage, controlled distribution, and potentially decreased risk from law enforcement — help explain why Morpheus diverges from the open-dump norm.
How Can Ankura Help?
Ankura is here to assist if you are dealing with a ransomware case — involving Morpheus or another group — that requires guidance related to, but not limited to, threat actor profiling/threat intelligence, incident response, covert threat actor leak site data collection, and data mining. Facing a cyber incident with a threat actor such as Morpheus requires careful intelligence gathering and response planning. Ankura’s incident response team supports organizations by investigating the breach and its scope, and by working with CTIX to analyze Morpheus’s leaked samples and correlate them with your data to understand what is at risk. Ankura’s CTIX team provides ongoing dark web monitoring to determine whether your data appears beyond the Morpheus leak site, elsewhere on the deep and dark web or the clear net. Ankura’s cyber teams can assist with communication strategy, ensuring your incident messaging reflects accurate threat context. By combining timely threat intelligence with robust incident response expertise, we can help clients navigate cyberattacks by Morpheus and other threat actors safely and strategically.
© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
